devices.rst - OpenGrok cross reference for /Linux-v6.6/Documentation/admin-guide/cgroup-v1/devices.rst

Lines Matching +full:3 +full:a
8 Implement a cgroup to track and enforce open and mknod restrictions
9 on device files.  A device cgroup associates a device access
10 whitelist with each cgroup.  A whitelist entry has 4 fields.
11 'type' is a (all), c (char), or b (block).  'all' means it applies
13 either an integer or * for all.  Access is a composition of r
16 The root device cgroup starts with rwm to 'all'.  A child device
17 cgroup gets a copy of the parent.  Administrators can then remove
18 devices from the whitelist or add new entries.  A child cgroup can
19 never receive a device access which is denied by its parent.
27 	echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow
32 	echo a > /sys/fs/cgroup/1/devices.deny
34 will remove the default 'a *:* rwm' entry. Doing::
36 	echo a > /sys/fs/cgroup/1/devices.allow
38 will add the 'a *:* rwm' entry to the whitelist.
40 3. Security
46 to require CAP_SYS_ADMIN, which at least is a separate bit from
47 CAP_MKNOD.  We may want to just refuse moving to a cgroup which
48 isn't a descendant of the current one.  Or we may want to use
52 task to a new cgroup.  (Again we'll probably want to change that).
54 A cgroup may not be granted more permissions than the cgroup's
60 device cgroups maintain hierarchy by making sure a cgroup never has more
62 a cgroup's devices.deny file, all its children will have that entry removed
69       A
74     A            allow		"b 8:* rwm", "c 116:1 rw"
75     B            deny		"c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm"
77 If a device is denied in group A::
79 	# echo "c 116:* r" > A/devices.deny
85     A            all                                      "b 8:* rwm", "c 116:* rw"
86     B            "c 1:3 rwm", "b 3:* rwm"                 all the rest
93       A
98     A            "c 1:3 rwm", "c 1:5 r"                   all the rest
99     B            "c 1:3 rwm", "c 1:5 r"                   all the rest
101 when adding ``c *:3 rwm``::
103 	# echo "c *:3 rwm" >A/devices.allow
108     A            "c *:3 rwm", "c 1:5 r"                   all the rest
109     B            "c 1:3 rwm", "c 1:5 r"                   all the rest
113 	# echo "c 2:3 rwm" >B/devices.allow
114 	# echo "c 50:3 r" >B/devices.allow
118 	# echo "c *:3 rwm" >B/devices.allow
120 Allowing or denying all by writing 'a' to devices.allow or devices.deny will
126 device cgroups is implemented internally using a behavior (ALLOW, DENY) and a